Conventionally, IPSec (Security Architecture for Internet Protocol), which has been standardized by IETF (Internet Engineering Task Force), the organization for standardization of the Internet, is used as a standard for performing cryptographic communication via a network such as the Internet; its provisions on frame configuration, encryption and decryption of data, falsification checking and the like are shown in RFC (Request for Comments) 2401 (hereinafter referred to as Non-patent Literature 1). Other cryptographic communication protocol standards include SSL (Secure Sockets Layer) and TLS (Transport Layer Security). According to these standards, agreement is made in advance on SA (Security Association) information, such as keys for encryption and decryption and for signature and verification, encryption and decryption algorithms, signature and verification algorithms, protocols and the like. The agreement on the SA information is performed in conformity with a key exchange protocol, namely the IKE (Internet Key Exchange) protocol or the Handshake protocol.
The IPSec function is implemented on a terminal as required. In addition, the IPSec function is also implemented on a packet cryptographic processing proxy apparatus in a VPN (Virtual Private Network), a dedicated network which is constructed with the use of the Internet and for which IPSec is specified as the standard protocol. That is, for example, the IPSec function is provided in a gateway which connects the Internet and a LAN (Local Area Network), and the gateway performs cryptographic processing on packets on behalf of each terminal (hereinafter referred to as an internal terminal) connected to the LAN. When communicating with an internal terminal connected to the LAN without encrypting data, a terminal connected to the Internet (hereinafter referred to as an external apparatus or a counterpart apparatus) only has to set the IP address and the like of the internal terminal on the LAN into the packets. When encrypting data, however, the external apparatus sets the IP address and the like of the internal terminal on the LAN; generates a packet including that IP address and the data; performs predetermined encryption on the entire packet; generates a further packet by setting, for the encrypted packet, the IP address and the like of a gateway which also acts as a packet cryptographic processing proxy apparatus; and sends that packet. The gateway which has received this packet decrypts it and sends the decrypted packet to the internal terminal on the LAN based on the IP address indicated by the header. Accordingly, the gateway in this case also acts as a packet cryptographic processing proxy apparatus (referred to as a first conventional technique).
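The addressing rule of the first conventional technique, modelled as an added example (not code from the document or from any of the cited literature): a plaintext packet carries the internal terminal's address, while an encrypted packet wraps the entire inner packet and carries the gateway's address, and the gateway verifies the falsification check, decrypts, and forwards by the inner header. The addresses, the SA key and the keyed transform are constructed stand-ins; the transform is a toy, not ESP.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed values; the transform below is a toy stand-in for ESP, not real IPsec.
SA_KEY = b"constructed-sa-key"                     # SA agreed in advance (e.g. via IKE)
GATEWAY, TERMINAL = "198.51.100.1", "192.0.2.10"   # constructed documentation addresses

@dataclass
class Packet:
    dst: str        # IP address carried in the header
    payload: bytes

def _keystream(key: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def protect(inner: Packet, key: bytes) -> bytes:
    """Encrypt the entire inner packet (header + data) and prepend a falsification check."""
    raw = json.dumps({"dst": inner.dst, "data": inner.payload.hex()}).encode()
    body = bytes(b ^ k for b, k in zip(raw, _keystream(key, len(raw))))
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unprotect(blob: bytes, key: bytes) -> Packet:
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("falsification detected")        # check first, then decrypt
    d = json.loads(bytes(b ^ k for b, k in zip(body, _keystream(key, len(body)))))
    return Packet(d["dst"], bytes.fromhex(d["data"]))

def external_send(data: bytes, encrypt: bool) -> Packet:
    """Plaintext terminates at the terminal; the encrypted packet terminates at the gateway."""
    inner = Packet(TERMINAL, data)
    return Packet(GATEWAY, protect(inner, SA_KEY)) if encrypt else inner

def gateway_forward(pkt: Packet) -> Packet:
    """Proxy role: decrypt and hand the inner packet to the LAN terminal named in its header."""
    if pkt.dst != GATEWAY:
        raise ValueError("encrypted packet is not addressed to the gateway")
    return unprotect(pkt.payload, SA_KEY)

def gateway_accepts(pkt: Packet) -> bool:
    try:
        gateway_forward(pkt)
        return True
    except ValueError:
        return False
```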
As such a packet cryptographic processing proxy apparatus, for example, Japanese Patent Application Laid Open No. 2003-304227 (hereinafter referred to as Patent Literature 1) shows one that is connected to a closed-type network, access to which is restricted, and that substitutes, on behalf of an internal terminal connected to the closed-type network, cryptographic communication with a terminal (corresponding to an external apparatus) connected to an open-type network which is connected to the closed-type network via a gateway (hereinafter referred to as a second conventional technique).
A conventional packet cryptographic processing proxy apparatus shown in this Patent Literature 1 will be described with reference to FIG. 8. As shown in FIG. 8, cryptographic communication is performed between an in-home node (internal terminal) 122 connected to a home network 104, which is a closed-type network, and an external node (external apparatus) 106 connected to the Internet 102, which is an open-type network, via a home gateway 108 which intervenes between the Internet 102 and the home network 104. The in-home node (in this case, a microwave oven) 122 does not have enough data processing capability to perform encryption and decryption processing. Therefore, a cryptographic-processing substitution in-home server 120 is connected to the home network 104 as a packet cryptographic processing proxy apparatus, so that the in-home server 120 performs, on behalf of the in-home node 122, the data encryption and decryption processing needed for encrypted communication between the in-home node 122 and the external node 106.
When the external node 106 activates cryptographic communication, the external node 106 sends a cryptographic communication request packet to the microwave oven 122, which is an in-home node, via the Internet 102, the home gateway 108 and the home network 104 (S21). Data in the cryptographic communication request packet is data required for the external node 106 to establish cryptographic communication with the microwave oven 122, which is an in-home node, and used for inquiring of the microwave oven 122. When receiving such a cryptographic communication request packet, the microwave oven 122 sends a cryptographic communication acceptance packet to the external node 106 through a reverse path (S22). Data in the cryptographic communication acceptance packet indicates acceptance of cryptographic communication and includes the network address of the in-home server 120 connected to the same home network 104.
The external node 106, which has received the cryptographic communication acceptance packet, sends a cryptographic communication substitution request packet to the in-home server 120, which is the specified cryptographic communication proxy server, via the Internet 102, the home gateway 108 and the home network 104 (S23). The in-home server 120, which has received the cryptographic communication substitution request packet, sends a cryptographic communication substitution acceptance packet to the external node 106 (S24). Thereby, the external node 106 confirms that cryptographic communication with the in-home node 122 is to be substituted. After confirming that the in-home server 120 is to substitute cryptographic communication with the in-home node 122, or by omitting all or part of this confirmation, the external node 106 sends an encrypted data packet to the in-home server 120 in accordance with a predetermined procedure (S25). The in-home server 120, which has received the data packet encrypted by the predetermined procedure, decrypts the received data packet and sends the decrypted data packet via the home network 104 to the in-home node 122 (microwave oven), which is the originally intended communication counterpart (S26). Thereby, the in-home node 122 (microwave oven) can realize cryptographic communication with the external node 106, which is the originally intended purpose, without the processing ability for advanced encryption and decryption.
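The S21 to S26 exchange of FIG. 8, simulated as an added example (not code from the document or from Patent Literature 1): the three parties are modelled as message handlers, and the run returns the step order, the set of destination addresses the external node had to send to, and what finally reached the in-home node. The party labels and the byte-wise transform standing in for encryption are constructed.

```python
from dataclasses import dataclass, field

# Constructed labels for the three parties of FIG. 8 (not real addresses).
EXT, OVEN, PROXY = "external-node-106", "microwave-122", "in-home-server-120"

@dataclass
class Msg:
    step: str
    src: str
    dst: str
    kind: str
    body: dict = field(default_factory=dict)

def oven_handle(m: Msg, delivered: list):
    """In-home node 122: cannot decrypt, so it only names its proxy (S22) or takes plaintext."""
    if m.kind == "crypto_request":
        return Msg("S22", OVEN, m.src, "crypto_accept", {"proxy": PROXY})
    if m.kind == "plain_data":
        delivered.append(m.body["data"])
    return None

def proxy_handle(m: Msg):
    """In-home server 120: accepts the substitution (S24), then decrypts and forwards (S26)."""
    if m.kind == "substitution_request":
        return Msg("S24", PROXY, m.src, "substitution_accept", {"node": m.body["node"]})
    if m.kind == "encrypted_data":
        plain = bytes(b ^ 0x5A for b in m.body["ct"])   # toy stand-in for decryption
        return Msg("S26", PROXY, m.body["node"], "plain_data", {"data": plain})
    return None

def run_exchange(data: bytes):
    """Drive S21-S26; return the step order, the addresses the external node had to
    send to, and what finally reached the oven."""
    delivered, trace = [], []
    handlers = {OVEN: lambda m: oven_handle(m, delivered), PROXY: proxy_handle}
    def deliver(m: Msg):
        trace.append((m.step, m.src, m.dst, m.kind))
        return handlers[m.dst](m) if m.dst in handlers else None
    accept = deliver(Msg("S21", EXT, OVEN, "crypto_request"))
    deliver(accept)                                     # S22 back to the external node
    proxy_addr = accept.body["proxy"]                   # second address EXT must now manage
    ok = deliver(Msg("S23", EXT, proxy_addr, "substitution_request", {"node": OVEN}))
    deliver(ok)                                         # S24 back to the external node
    ct = bytes(b ^ 0x5A for b in data)                  # toy stand-in for encryption
    fwd = deliver(Msg("S25", EXT, proxy_addr, "encrypted_data", {"ct": ct, "node": OVEN}))
    deliver(fwd)                                        # S26: plaintext on the home network
    ext_targets = sorted({t[2] for t in trace if t[1] == EXT})
    return [t[0] for t in trace], ext_targets, delivered
```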
In order to execute a key exchange protocol in IPSec, communication is performed multiple times between the apparatuses which mutually agree on SA information. Furthermore, this communication requires a large amount of computation, which imposes a considerable load on the apparatuses. If, to cope with this, an SA information agreement function is provided in a small-sized terminal in a home, such as electronic equipment provided with a cryptographic-processed communication function, the scale of its hardware and software increases, and its size and price also increase. From this point of view, it is proposed, for example, in Japanese Patent Application Laid Open No. 2003-179592 (hereinafter referred to as Patent Literature 2) that, though a terminal is provided with a cryptographic processing function, the processing of agreeing on SA information is performed by a key exchange proxy apparatus on behalf of the terminal. According to the key exchange substitution technique shown in this Patent Literature 2, when a terminal which is connected to a network and which is provided with a cryptographic processing function but not with a key exchange function performs packet cryptographic communication with a communication counterpart terminal which is connected to the network and provided with a key exchange function, the terminal first requests, from a key exchange proxy server connected to the network, exchange of the common keys to be used for the cryptographic communication signal with the communication counterpart terminal; the key exchange proxy server then performs key exchange processing with the communication counterpart terminal on behalf of the terminal based on that request and sets the agreed common key in the terminal. After that, the terminal uses the agreed common key to perform packet cryptographic communication with the communication counterpart terminal.
It is shown in Japanese Patent Application Laid Open No. 2003-289299 (hereinafter referred to as Patent Literature 3) to cause a gateway to perform such a key exchange substitution processing.
In the first conventional technique, when sending a packet to a terminal on a LAN without encrypting the packet, an external apparatus connected to the Internet only has to simply set the IP address of the terminal on the LAN. However, when encrypting and then sending a packet, the external apparatus is required to encrypt the packet, set the IP address or the like of a gateway (packet cryptographic processing proxy apparatus) for the encrypted packet as data, and then send the packet. That is, the termination of a packet which is not encrypted is the terminal on the LAN, and the termination of an encrypted packet is the gateway. Thus, it is necessary to set the IP address or the like of a gateway in the case of performing cryptographic communication, and it is troublesome to set, for communication with the same terminal, the IP address or the like of a gateway in addition to the IP address or the like of the terminal.
In the second conventional technique, the termination of an encrypted packet is the in-home server 120, which corresponds to the packet cryptographic processing proxy apparatus, while the termination of the sending destination of the packet is the terminal (microwave oven) 122. Therefore, when the in-home server 120 is introduced, a counterpart apparatus connected to the Internet is required to change setting information such as the IP address depending on whether or not cryptographic communication is used, which presents the problem that the communication counterpart (the person who operates the counterpart apparatus) must perform troublesome setting, just as in the first conventional technique. Furthermore, in this second conventional technique as described above, there is also the problem that performing cryptographic communication takes a lot of trouble: making a cryptographic communication request to the microwave oven 122 first, receiving the specification of a proxy server, making a cryptographic communication substitution request again to the server 120 and receiving its acceptance, and only then sending an encrypted packet.

Patent Literature 1: Japanese Patent Application Laid Open No. 2003-304227
Patent Literature 2: Japanese Patent Application Laid Open No. 2003-179592
Patent Literature 3: Japanese Patent Application Laid Open No. 2003-289299
Non-patent Literature 1: RFC (Request for Comments) 2401